Is Captive Insurance a Solution for Cyber Security Risk Management?

Kelly Coughlin interviews Wes Sierk, President and Co-Founder of Risk Management Advisors. Wes is the author of the book Taken Captive: The Secret to Capturing Your Piece of America’s Multi-Billion Dollar Insurance Industry. Wes is a recognized expert in using captive insurance strategies to manage and fund certain types of risk. Kelly Coughlin believes that such a strategy could be used to manage and fund cyber security risk. This is the first in a series of three podcasts covering captive insurance and cyber security risk management.

Kelly Coughlin is CEO of BankBosun, a management consulting firm helping bank C-Level Officers navigate risk and discover reward. He is the host of the syndicated audio podcast, BankBosun.com. Kelly brings over 25 years of experience with companies like PWC, Lloyds Bank, and Merrill Lynch. On the podcast Kelly interviews key executives in the banking ecosystem to provide bank C-Suite officers with risk management, technology, and investment ideas and solutions to help them navigate risks and discover rewards. And now your host, Kelly Coughlin.

Kelly: Hello, this is Kelly Coughlin with the BankBosun. This is the podcast that’s the first in a series of three podcasts that are going to be related to using captive insurance strategy to manage and insure cyber security risk and loss.

I’ve talked to many bankers over my 25-year career and I have observed in the past five years cyber security going from a concern of IT guys and techno geeks to top of mind attention and concern of CEOs, CFOs and boards of directors. In fact, I was at a conference in Kansas a while back, and a number of the sessions were on cyber security risk. I was thinking, “Well, should we go to that? Should we not go to that?” We talked to C-level execs. These sessions were all standing room only, completely filled with C-level execs.

It occurred to me that in this environment, we have potentially overpricing of all services related to the risk management of this risk including prevention, detection, hardware, software, consulting. I thought the subject of these 3 podcasts would be the transference of this risk. I think one of the areas that I detect as potentially being mis-priced is the cost of insurance, partly because the risk of loss is all over the map. We thought, “Let’s explore cyber security risk through a captive insurance enterprise.”

To help kick this series off, I am interviewing Wes Sierk, President and Cofounder of Risk Management Advisors. I came across Wes through a book that he wrote, exciting title called, Taken Captive. That sounds good so far. Here’s where it goes downhill: “The secret to capturing your piece of America’s multi-billion dollar insurance industry.”

I’m interviewing Wes remotely. He’s in Long Beach, California. Wes, you heard my introduction, and the reason you would be on this call, but let’s start with a couple of minutes on your background, how it would connect to bank cyber security risk management.

Wes: Well first of all thank you for having me on the show. I started out in the insurance business in 1993 in a division of Northwestern Mutual, which was a life insurance company called CCI, Compensation Consulting Inc. Mostly what we did there is qualified and non-qualified planning, retirement plans and deferred comp, things like that. I came across captive insurance companies in 2000. My first thought was, it was a perfect alternative to deferred comp. That’s how I got into it. My background is … I’m a researcher, so I started digging into why life insurance was all the same. It was you go to a life insurance company and you get a 45-year-old male, and you say, “How much is a million dollars of coverage?” The insurance company prints out that ledger. If you had ten agents going to the market, they would all come back with the same quote.

PNC is completely different. You actually have one broker who goes to the market for you and it’s much more of a negotiation, which leads into the pricing issues that you alluded to earlier in your call. My partner Jared and myself went on to form Risk Management Advisors in 2004 and all we’ve been doing since is just the design, implementation and management of captive insurance companies.

On a personal side, married for about 24 years, two kids, I coach baseball, and Risk Management Advisors has a NASCAR team.

Kelly: Give us a definition in two sentences of captive insurance.

Wes: It’s an insurance company that a business sets up to insure their own risk. It’s pretty simple.

Kelly: It could be a bank?

Wes: Yes. Instead of them buying their general liability, their cyber, their property, all of their coverage from AIG, Zurich, Liberties of the world, they actually form their own licensed regulated insurance company and they pay those premiums to their own company. They deduct those premiums, just like they would by paying any other company.

Kelly: All right. In terms of primary motivations, my research shows that one, you’ve got access to cheap insurance rates because you’re paying them directly to your own carriers so to speak, right? You’ve got first dollar loss coverage, you can accelerate loss deductions, which appears to be a fancy term for you can over-fund the risk premium and build up tax deductible reserve. Are those the three core motivations to do this, or are there others? What’s the primary motivation to do this?

Wes: I think you hit the nail on the head. One thing it does give you, if you’re an insurance company, is it gives you access to the reinsurance marketplace.

Kelly: How much would a bank be saving? Are you talking 5% or are we talking 40%?

Wes: Well it depends on the kind of policies they’re writing and the amount of risk that they’re willing to take. One thing is, the reason why reinsurance is less expensive is because the insurance industry, insurance companies, have thousands of employees. I read somewhere that the insurance industry has three times as many employees as the US Post Office. They do a lot of the processing of paperwork and claims and things like that, so they have higher overhead. A re-insurer can get away with having 5% of the employees of an insurance company, because they only attach at a certain level whether that’s 50, 100, 250, a million, whatever. They’re not getting involved in the day-to-day operations of the insurance company and the day-to-day pay out of claims. That’s left to the insurance company level. We see, for regular insurances, I would say you could see a 30% savings over your traditional insurance.

Kelly: In the banking business we have what are called banker’s banks, and they provide banking services to banks. They don’t do anything directly with the public. So would a reinsurance company be an insurance company’s insurance company where they provide services only to another insurance company, so you cut out all of the sales process I suppose, the distribution expenses? Aren’t those the core things that are cut out plus the servicing part because they’re not dealing with million to 20 million dollar cases, they’re dealing with whatever the number is, 50 million or above, the larger ones?

Wes: You’re exactly right. Your analogy is very good. Where bankers have banker’s banks, this would be like an insurance company’s insurance company.

Kelly: If one were going to set up a captive, that entity would have to also sign up, unless they were going to absorb all of the risk themselves, which is unlikely. If they want to transfer or share some of that risk, they have to set up relationships with reinsurance companies, correct?

Wes: Correct, unless they want to take that risk themselves, which we don’t usually recommend the first couple of years.

Kelly: I suppose companies like you, this is not an infomercial for your group, but is that part of what you do, is you have these relationships and there’s probably some vetting process that you would go through to bring on a new captive client, I suppose, and introduce them and negotiate terms, etc with the reinsurance company. Is that one of the roles that your company provides?

Wes: Yes it is. Clients come to us because they want us to set up and manage their insurance company for them; deal with the departments insurance; do all of the regulatory filings and in most cases, not all cases but most cases; they’ll have us go and negotiate the reinsurance contracts for them. The good thing about reinsurance, reinsurance is always sold net of commissions, unlike an insurance policy where you pay an insurance agent, we’re just negotiating on behalf of the insurance company as a manager of the insurance company.

Kelly: That’s where the big savings comes from.

Wes: Yeah, there’s a lot of savings in that. I’m not going to begrudge brokers because brokers bring a tremendous amount of value to clients.

Kelly: There are a couple of ways to set these things up from what I can tell. You could set them up as a single parent captive or a group pooled collective type where you have a group of banks. You have a single bank, Bank A that decides, “We’re going to set this up.” It’s only one bank in there. Then you have a pooled or group approach where you have Banks A and B setting up the collective. They either do it alone or with others, like kind business I suppose, right? Is that a fair assessment?

Wes: Yeah, they either do it by themselves or they do it with other people. Then within the other people, there is many different ways they can do it.

Kelly: You know the context and setting that this call is about. It’s specific community banks, cyber security risk, captive insurance. If you had to Google this, those three terms would be in there. One other risk if you do it as a group or collective, let’s just say there are two banks in the collective – you have Bank A and B that are, let’s say they’re putting in an equal amount. Let’s say Bank A has great internal controls and risk management processes, Bank B has terrible ones. Bank B incurs all the loss and Bank A has insured it all. There part of the reason was to put in a bunch of excess premium perhaps, build up this reserve. Then you have Bank B eating up all the reserves. Is there a way that a bank can set up a hybrid of this where they could share say, the operating expenses, maybe consulting expenses, a number of things related to the entity? It could be another class of stock, something where the actual risk is only absorbed by the individual bank and ultimately a reinsurance carrier downstream.

Wes: There could be, but I wanted to go back to one point you made, which was Bank A has great internal controls and Bank B doesn’t. The issue with cyber security is many banks have good security or great security, but it’s also the luck of the draw. The person with bad security could be fine and the one with great internal controls could have that one in a million chance where somebody comes in and breaches their security or takes millions of dollars out of their company. Within the group captive there’s also cell companies. You can have a cell captive.

A cell captive is one where it basically looks at and smells like one large insurance company but each individual bank has its own cell, so they kind of wall off the assets and liabilities on a bank by bank or cell by cell limit. That could go a long way to protecting the bank. Then you go get one reinsurance treaty for all of the banks, and then you carve it off. You go get 100 million dollars of coverage and you carve it off at 5 million dollars per bank for twenty banks. The insurance companies like that because they know that if they’re writing 100 million dollars in coverage and they basically divided it at 5 million between twenty banks, they know their chance of loss is actually smaller. The frequency may be higher but the severity probably wouldn’t, and that’s where they get into the pricing. They’d much rather spread it 5 million over twenty banks, than one bank have a 20 or 25 million dollar claim.

Kelly: I accept your point that Bank A may have great controls and Bank B not, but Bank A could be hacked, right? I understand that’s a valid point, but I think in this environment what is going to happen is certainly you have the Top 10 banks, they’re the high-value targets of cyber criminals. They have the budget to always attempt to put up the adequate defenses to that. I fear what is going to happen is the less target-rich environments like community banks will, as the Top 10 banks for instance, get better at defense, then the smaller community banks are going to be the target and they don’t have the resources to fund that. It’s an expensive undertaking, where you’ve got hardware expenses, software, consulting, insurance, all of this stuff, and staff of course.

My thinking was that you set up this captive and you develop best practices. I’m going back to my PWC days in consulting, where in consulting business you’re always looking for best practices, but you develop best practices and you share the costs. You buy them properly, buy them at the right price, right terms, etc, and then you share the cost over twenty entities and not one community bank. The reality is these banks can’t afford to set up the high-level controls that a Top 10 bank can do it.

Wes: You’re exactly right. It’s the philosophy of build your ark before the flood comes. By creating their own insurance company and warehousing dollars today, because of the way the policies are written, they basically expire every 15 months. If they are the targets of cyber criminals three years from now, they would have already stockpiled a ton of money, so they can weather a claim if they have it and maybe not have to hit their reinsurance. To your point, we both know what’s happening in the cyber marketplace as far as the premium dollars in the traditional market. The reason why … it’s because insurance companies are doing the exact same thing. They’re charging exorbitant fees today because they don’t know how big this is going to be.

It reminds me of the old asbestos claims. Remember when asbestos started being a problem? All of the insurance companies started raising their rates dramatically. Then what happened was, a couple of smart insurance guys said, “You’re charging $700,000 for a million dollar general liability policy for asbestos, but if the people actually get hurt, it’s going to be a worker’s comp claim.” It’s not going to be a general liability claim, but the insurance company hadn’t thought that far ahead. They just wanted to get as many dollars in their coffers as they could in case they got hit. For cyber, you went to that conference … you’re exactly right. Five years ago it would have been just the IT people and you’d have fifteen people in the room. Now it’s actually the C-level. It’s CEO, CLO, CFO that are doing this.

Kelly: The board members are the ones that are saying, “Get to the conference. I want you there.” They’re telling their CEOs to get there.

Wes: It’s huge. It’s such a huge problem. I was just reading an FBI report on cyber crime. Their prediction is all businesses in the next five years will be spending at least 10% of their gross income on cyber for protections and hardware and software, and everything. You can’t even fathom that today, but it’s coming. Now we have passwords on top of passwords to get into password programs. They listed off that the FBI did a study and they went into the Apple iTunes store where people get the applications and they have all these password programs. 10 of the top 20 were programs that were sold that said, “Number one password protector.” They were sold and designed by organized crime, downloading these programs for their iPhone and their Androids, putting all their passwords in, all their banking information, and all that stuff was being directly fed to Russian organized crime. They don’t have to steal cartons of cigarettes anymore when they can make 20 to 30 million dollars in one financial transaction.

Kelly: Absolutely.

Wes: It’s staggering. I can see why these board members and CFOs and everyone else would be concerned about it. It’s a big issue. One of our clients was just hit with it.

Kelly: Let’s say we set up Newco captive insurance for community banks. You set up as part of this synthesis of best practices and captive insurance for cyber security. I’m going to throw in another term, “best practices.” I don’t necessarily think they’re into gouging. They just can’t efficiently price it because the risk parameters or the level of risk that they’re taking on an entity basis per entity, per insured, is all over the map. When you take in a company to join the captive … would you call them a shareholder?

Wes: Yes.

Kelly: Okay. When you take a shareholder, they have to adopt the best practices standards that the new captive insurance carrier says. Does that make sense, that would be part of the admission process?

Wes: I would say you definitely want to do that. Some insurance companies, it’s really a risk assessment for cyber preparedness. There are some insurance companies that have done a great job at this. In fact, one of them, these people developed this cyber preparedness company for ACE and Chubb insurance company, as freelancers. They said, “Well we want this to make sure.” For them they realized that, “Hey, there’s a real market for this.” They basically bought company back for nothing. This was a few years ago. They’re like, “Well this isn’t going to be as big as we thought it was.” That’s all they do is analyze cyber preparedness. They give you a full report. We just had them come into ours because we have a lot of data in our stuff. We have a lot of HIPAA stuff because we run insurance companies for medical, for example. They gave us a whole big report of change this, change this, change this, and some stuff you’d never even think about. You’re like, “Whoa.” The cost to do it … I thought it was going to be very expensive but it was nothing on the scale of things.

Kelly: You just hope that they’re not owned by the Russian mob, right?

Wes: Yeah, exactly. Three of my clients had used them and the one that just got hit for cyber, their system was set up in such a way where they were instantly notified that this was happening. This was a server in Toronto. Instantly they had to switch the whole thing offline. They flew two of their internal programmers from here in California up to Toronto. They were back online in under 24 hours without an ounce of data. I’m like, “You know what? I’ve got to have your people come in and do this.” This is a company that does 100 million dollars in sales. I think everyone should be requiring this.

Kelly: I think there’s some really cool things you could do when you have many entities splitting the cost of this. I’m certainly set up best policies, procedures, all that kind of stuff. You could buy licenses. You get quantity discount, volume discounts there. There’s a lot of benefit to having a larger group in there. Even just the project team, these banks don’t have the resources to have a really good project team to do a good vendor search, for instance. That’s a costly undertaking in and of itself is, “Well what email provider should we do?” They just don’t have the resources free to do that. You threw out the 10% number. My goal would be to let’s set it up so the goal we could make that a 5% of revenue number, not 10.

Wes: Or 1%. What I was saying was, that was what the FBI’s projection of what people would be spending on their cyber stuff was. In my business, I can’t even fathom that. We spend all this money a year on hardware and software, and our business is X. If I were to extrapolate that out to say, “Well how much would we do if we did 10%?” There’s like, “There’s no way.” We could buy server hubs. We could buy everything. I guarantee you if you picked ten of your banks who listen to this, one of them is doing something great that the other nine aren’t, and so having a depository … You say, “Hey this was a great idea that this bank is doing and then you could take it over to the other one.”

Kelly: Yeah, but what happens, Wes, is that everybody is going to these conferences. They get the heck scared out of them, they come back and they talk to their IT guy and say, “You know I just went to a conference. We’ve got to start controlling this risk.” Then they look at it and realize that, “Oh this is going to cost $100,000? Oh I guess we can’t afford that.” There’s plenty of ideas out there. There are some great ideas and there is some not great ideas, but there’s loads of ideas.

Taking the idea and having the resources to actually implement is the big challenge. I believe that the captive program is a way to pull those things together, buy cost-efficiently, do vendor searches efficiently. It all comes together there through that thing. Yeah, there are some tax benefits by throwing in higher premiums, that kind of thing. That’s great but I don’t think this is primarily a tax-driven … It just so happens that taxes will be favorable … favorable tax treatment. I really think it’s the cost-effective way to manage risk and to get best practices adopted in community banks throughout the country that otherwise just can’t quite afford it in their budget.

Wes: I was going to say, and you’re using double duty dollars. Right now if they buy cyber insurance from AIG, they’re not getting internal controls, they’re not getting all of this due diligence, they’re not having somebody come in. They pay them and then if there is a claim … They still on top of their premiums have to go out and do the best practices and do all of the stuff to make sure they’re secured vs. paying premiums to their own company.

Let’s say the insurance company takes 10% of all the premiums that it takes in from all the companies and then uses that to go in and install the best practices and stuff, so you’re actually using money that you would have just given to somebody else to now improve your overall business operation. We’ve had people do that with worker’s comp where, hey they can’t afford a safety guy and their worker’s comp rates have gone up, so they create their own worker’s comp company and now they use the money they were giving to Liberty and AIG and all these other companies to hire their own full-time safety person. That’s actually now just an expense of the insurance company vs them having to take money out of the bottom line of their company.

Kelly: One other thought that’s a great image that I have of you is set up this captive, you have fifty banks involved and you also fund a cyber security SWAT team comprised of Navy SEALs and Rangers that are deployed in the event of some ransomware type deal, right? Then they get engaged, they’re ready to go, and then they go out and take them down.

Wes: Yeah, that’s a great idea.

Kelly: Otherwise it’s a call to the FBI and okay, they do great work, granted, but man it’d be nice to have our own team. That could be Phase 2 down the road. Anyway, let’s wrap it up. I really appreciate your time. Let me ask you this. Do you have a favorite quote?

Wes: Yeah, well I do but it’s an Ayn Rand in Atlas Shrugged they talked about Rearden Metal and it was going to be too expensive to rebuild these bridges for the trains using Rearden Metal because of the engineering. The quote was, “When men got structural steel, they didn’t use it to build steel copies of wooden bridges.”

Kelly: Good one.

Wes: I look at captives and things like that as you can use it as a powerful tool to do something in a completely different way. You don’t have to just use it for the same way you were always doing stuff. I would say that would be the first one that popped into my mind.

Kelly: What’s the stupidest thing you’ve ever done in your business career? Give people a laugh. Give people a chuckle here.

Wes: Oh, I have an album on my bookshelf. You know Bill Withers, “Lean on Me”?

Kelly: Lean on Me and “Use Me”.

Wes: I got an appointment. His wife called and wanted me to come talk about overall financial planning and stuff. I went to see him and I’m like, “I love your music. I love the movie and everything.” They’re just sitting there like uh-huh, uh-huh. The meeting didn’t go well and I left there. I had it confused with Stand by Me instead of Lean on Me. My dad found this Bill Withers album and he said, “Keep this on your bookshelf and any time you don’t know the answer, you won’t make a complete fool of yourself.”

Kelly: Oh that’s a great one! That’s very good, I love that one. All right, Wes. I appreciate your time. How can people contact you?

Wes: Yeah, my website is Risk Management Advisors. It’s riskMGMTadvisors.com and my email is WSIERK@riskMGMTadvisors.com. I create a website that’s not branded by us, but it’s captiveinsurance101.com and it just has general info on captives. You were kind enough to mention my book. The book is called Taken Captive and it’s just takencaptive.com.

We want to thank you for listening to the syndicated audio program, BankBosun.com. The audio content is produced by Kelly Coughlin, Chief Executive Officer of BankBosun, LLC; and syndicated by Seth Greene, Market Domination LLC, with the help of Kevin Boyle.

Video content is produced by The Guildmaster Studio, Keenan Bobson Boyle. The voice introduction is me, Karim Kronfli. The program is hosted by Kelly Coughlin.

If you like this program, please tell us. If you don’t, please tell us how we can improve it. Now, some disclaimers.

Kelly is licensed with the Minnesota State Board of Accountancy as a Certified Public Accountant. Kelly provides bank owned life insurance portfolio and nonqualified benefit services to banks across the United States. The views expressed here are solely those of Kelly Coughlin and his guests in their private capacity and do not in any other way represent the views of any other agent, principal, employer, employee, vendor or supplier of Kelly Coughlin.

About The Author

Kelly Coughlin is a CPA and CEO of BankBosun, a management consulting firm helping bank C Level Officers navigate risk and discover reward. He is the host of the syndicated audio podcast, BankBosun.com. Kelly brings over 25 years of experience with companies like PWC, Lloyds Bank, and Merrill Lynch. Kelly earned his undergraduate degree (BA) from Gonzaga University and a master’s degree in business administration (MBA) from Olin Graduate School of Business at Babson College in Wellesley, MA. Kelly lives in Edina, MN.